User setting own password
An editor thinks her emails may have been hacked and she asked me to change her Editor password for her Perch access just in case. This is the first time I have had to return to the Users page to do something of this kind.
I was surprised to find I can't allocate a password. There seems to be no facility for me as the admin to do so, unless I am missing something.
I think it's a significant security exposure to allow editors to choose their own passwords. What if they choose an easy to guess password?
Am I missing something here?
People should set their own password as the alternative would be to send a password through email, which would be a security risk. You should remind users to choose a secure password.
As there is no mechanism for the Admin to inspect the passwords chosen, I think this is placing too much trust in the common sense of the user.
I would be surprised to learn that this policy is acceptable to corporates and whilst it is masked by the initial set up process whereby the Admin DOES set the password (and emails it to the user), it is exposed immediately a password change is required for any reason.
I know password suites are relatively complex and you might not wish to invest the effort in having one of your own, but the current system is possibly not the best that could be achieved.
How about allowing the Admin to see the user-selected passwords? At least he/she could then ask the user to choose something better.
It's a greater risk for the admin to be able to see the passwords - only the user should know their password.
If your users are choosing weak passwords, you can enable the various password strength options:
https://docs.grabaperch.com/docs/installing-perch/configuration/security/
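As an added illustration of the two points made in the reply above (it is not Perch's own code, and the policy values, the common-password list and the function names are assumptions for the example), the snippet below shows why an admin cannot "inspect" chosen passwords once they are stored as salted hashes, and why the only place a strength policy can be applied is at the moment the user sets the password, when the plaintext is briefly available to the server. The Perch settings linked above are the configured equivalent of the check_strength step; the specific rules here are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import List

# Assumed policy values for this example; the real Perch options are set in its
# config file as described in the linked documentation, not here.
MIN_LENGTH = 12
ITERATIONS = 200_000
# Constructed sample of banned common passwords (a real list would be much longer).
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}


def check_strength(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # Count how many of lower, upper, digit and symbol classes are present.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted PBKDF2 hash; the plaintext is not recoverable from the result."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def set_password(password: str) -> str:
    """The only point where policy can be enforced: check the plaintext, then store only its hash."""
    problems = check_strength(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    stored = set_password("Correct-Horse-Battery-9")
    print("stored record:", stored)          # contains salt and hash, never the password
    print("login ok:", verify_password("Correct-Horse-Battery-9", stored))
    try:
        set_password("password1")
    except ValueError as e:
        print(e)
```

Because the stored record holds only a salt and a hash, an admin looking at the users table learns nothing about the password itself, which is exactly why the suggestion to "see the user-selected passwords" cannot be met without storing them in a recoverable form; enforcing the rules in set_password at change time gives the admin the control they were after without that exposure.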
OK. I appreciate this issue involves trade-offs whichever approach is taken.
I will take your advice.